Has your privacy gone up in smoke?
Information about the purchase and use of cannabis can be highly sensitive. What can retailers do to protect their consumers’ privacy?
The legalization of the use and sale of recreational cannabis in Canada last year has raised a number of notable legal concerns, with privacy becoming a headline issue that lawyers, consumers, and businesses need to keep in mind.
Cannabis is still not legal in many countries, and even in Canada its consumption continues to be highly stigmatized. As a result, information regarding the purchase and use of cannabis continues to be highly sensitive, even leaving aside the medical data that has been the major focus of privacy advocates pre-legalization.
While the details around the sale and consumption of recreational cannabis are still being developed, at this point many consumers have to provide a significant amount of personal information to buy the product. In part, this is because they can only access the product by ordering online. In Ontario at the moment, consumers can only order online through the Ontario Cannabis Store, though this is slated to change in 2019. In British Columbia, it is still virtually impossible for most consumers to purchase cannabis in person – a handful of licensed stores were open in the province at the time of writing, none of which are located in the Lower Mainland. Most have no choice but to order their product online. When they do so, they are required to provide their names, addresses, and credit card information. A date of birth is necessary to access most cannabis retailers' websites, which is then stored through online cookies for the consumers' convenience.
Any storage of personal information creates a risk that it could be accessed inappropriately, with consumer privacy breached. This is what happened within days of legalization in Ontario. On Nov. 1, 2018, the Ontario Cannabis Store learned that certain personal information of some 4,500 of its customers had been accessed through a vulnerability in Canada Post’s online tracking tool. This breach also affected the individuals who had signed for package delivery, even if they had not purchased the cannabis in the first place.
In addition to the normal risks resulting from data breaches – ranging from unauthorized credit card purchases to identity theft – public disclosure of the mere fact of a cannabis purchase could have a significant impact on certain individuals. Some employers are known to prohibit the consumption of cannabis altogether by their employees. As such, a data breach disclosing that an employee under such a prohibition had purchased cannabis from an online store could have significant consequences for that employee.
For cannabis consumers who live in apartment complexes or condominiums, an additional risk to privacy is the requirement that the person signing for the package delivery (such as a concierge or building manager) provide proof of age before accepting the parcel. This unique requirement means that the resident is immediately revealed as having ordered cannabis. Some buildings are refusing to accept packages that require proof of identification entirely.
Retailers and consumers should be considering what personal information needs to be gathered in the first place. British Columbia’s Office of the Information and Privacy Commissioner has released a Guidance Document for private cannabis retailers and purchasers, explaining how BC’s Personal Information Protection Act should apply. It encourages cannabis businesses to collect and store the minimum amount of personal information. For example, it encourages cannabis businesses to review personal identification for in-person sales to ensure minimum age compliance, but not to record the individual’s information. Federally, the Personal Information Protection and Electronic Documents Act provides that businesses must limit the amount and type of personal information gathered to the minimum amount necessary to fulfil the required purposes. However, in some cases retailers may not even realize they are collecting personal information – for example, in Prince Edward Island the government-run retailer was using a device to scan ID cards in order to verify the legitimacy of the card, but was unknowingly and unintentionally storing the personal information from the ID card on the scanning device.
The processing of credit card purchases of cannabis is an additional source of privacy risk. Credit card statements disclose cannabis purchases – for example, transactions with the Ontario Cannabis Store show up on statements as "OCS/SOC", and purchases from the British Columbia Cannabis Store are shown as “BCS Online Vancouver.” Canadians on the move are also potentially at risk of credit card processing occurring in a jurisdiction where cannabis is illegal and having this information disclosed to law enforcement in those jurisdictions. The Office of the Privacy Commissioner plans to issue guidance for both retailers and consumers on cannabis transactions.
In sum, the sale and use of recreational cannabis as it currently transpires poses risks to individuals’ privacy.
As the industry develops, it is likely that many of these issues will be addressed and resolved. In the meantime, cannabis consumers and businesses should bear these risks in mind, and adapt accordingly. For businesses this will likely mean conducting privacy and security assessments to ensure that, having identified and mitigated the relevant risks, any personal information they are collecting is appropriately managed and protected.